Insecurity proof failed resolving newsletter.postbank.de - but why?

Chris Thompson cet1 at cam.ac.uk
Mon Jan 20 12:39:11 UTC 2014


On Jan 20 2014, Graham Clinch wrote:

>I'm seeing a dnssec validation error that I can't pin down, for the 
>domain: newsletter.postbank.de.
>
>Neither of http://dnsviz.net/ and 
>http://dnssec-debugger.verisignlabs.com/ report finding a problem, but 
>two (ubuntu packaged) versions of bind report a failure validating the 
>delegation as intentionally insecure.
>
>I've tried versions:
>
>BIND 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1
[...] 
>and
>
>BIND 9.8.1-P1 built with '--prefix=/usr' '--mandir=/usr/share/man'
[...]

I can reproduce the effect with BIND 9.9.4, 9.9.4-P2, 9.9.5b1.

I think the problem is as follows. The nameservers for postbank.de
generate a referral for newsletter.postbank.de which includes a
"minimally enclosing" NSEC3 like this:

o27g5ei98muhh7iemoihmbn83qndjsv1.postbank.de. 3600 IN NSEC3 1 0 1 \
  8BB5BA1AF57572EE O27G5EI98MUHH7IEMOIHMBN83QNDJSV2

The salt is generated dynamically (different each time) and doesn't
match postbank.de's NSEC3PARAM, but that shouldn't matter. What
*does* matter is that the NSEC3 "proves" that there are no NS
records as well (as no DS ones) for newsletter.postbank.de
(despite the fact that the NS records are included in the referral).
Note the absence of opt-out in the NSEC3.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
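The check Chris describes is the RFC 5155 section 8.9 insecure-delegation proof: the NSEC3 that matches the delegation name must have the NS bit set and the DS bit clear, or an opt-out NSEC3 must cover the name. The following Python is an added example, not code from this post, from BIND, or from Postbank: it implements the RFC 5155 hash and the section 8.9 decision, and runs it over the NSEC3 record quoted above plus constructed records in the RFC 5155 Appendix A "example." zone (salt aabbccdd, 12 iterations). The zone name, the constructed "next hash" values and the function names are assumptions for illustration.

```python
import base64
import hashlib
from dataclasses import dataclass

# Base32hex (RFC 4648 "extended hex") alphabet, derived from standard base32.
_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def b32hex_nopad(data: bytes) -> str:
    """Lowercase base32hex without padding, as used for NSEC3 owner names."""
    return base64.b32encode(data).decode().translate(_TO_HEX).rstrip("=").lower()


def wire_name(name: str) -> bytes:
    """Uncompressed, lowercase wire-format name including the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(name||salt), then `iterations` more rounds."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex_nopad(digest)


@dataclass
class NSEC3:
    owner_hash: str      # first label of the owner name, lowercase
    flags: int           # bit 0 = opt-out
    iterations: int
    salt: bytes
    next_hash: str
    types: frozenset     # type bitmap as mnemonics

    @classmethod
    def from_text(cls, rr: str) -> "NSEC3":
        """Parse '<owner> [ttl] [IN] NSEC3 alg flags iter salt next [types...]'."""
        f = rr.split()
        i = f.index("NSEC3")
        alg, flags, iters, salt, nxt = f[i + 1:i + 6]
        if int(alg) != 1:
            raise ValueError("only hash algorithm 1 (SHA-1) is defined")
        return cls(f[0].split(".")[0].lower(), int(flags), int(iters),
                   b"" if salt == "-" else bytes.fromhex(salt),
                   nxt.lower(), frozenset(t.upper() for t in f[i + 6:]))

    def matches(self, h: str) -> bool:
        return self.owner_hash == h

    def covers(self, h: str) -> bool:
        """True if h lies strictly between owner and next (hash ring wraps)."""
        if self.owner_hash < self.next_hash:
            return self.owner_hash < h < self.next_hash
        return h > self.owner_hash or h < self.next_hash


def check_insecure_delegation(qname: str, records):
    """RFC 5155 section 8.9: does this NSEC3 set prove an insecure delegation?"""
    for r in records:
        h = nsec3_hash(qname, r.salt, r.iterations)
        if r.matches(h):
            if "DS" in r.types:
                return False, "DS bit set: delegation is signed, not insecure"
            if "NS" not in r.types:
                return False, "matching NSEC3 lacks NS: name is not a delegation"
            if "SOA" in r.types:
                return False, "SOA bit set: zone apex, not a delegation"
            return True, "matching NSEC3 has NS and no DS"
        if r.flags & 1 and r.covers(h):
            return True, "opt-out NSEC3 covers the name"
    return False, "no NSEC3 matches the name or covers it with opt-out"


# The record quoted in the post (joined onto one line, no type bitmap).
POSTBANK_NSEC3 = ("o27g5ei98muhh7iemoihmbn83qndjsv1.postbank.de. 3600 IN NSEC3 "
                  "1 0 1 8BB5BA1AF57572EE O27G5EI98MUHH7IEMOIHMBN83QNDJSV2")

ZONE_SALT, ZONE_ITER = bytes.fromhex("aabbccdd"), 12   # RFC 5155 Appendix A


def demo() -> dict:
    """Constructed referral scenarios in 'example.' beside the quoted record."""
    name = "sub.example."                     # assumed delegation name
    h = nsec3_hash(name, ZONE_SALT, ZONE_ITER)
    nxt = "v" * 32                            # constructed: highest hash value
    empty = NSEC3(h, 0, ZONE_ITER, ZONE_SALT, nxt, frozenset())
    good = NSEC3(h, 0, ZONE_ITER, ZONE_SALT, nxt, frozenset({"NS", "RRSIG"}))
    secure = NSEC3(h, 0, ZONE_ITER, ZONE_SALT, nxt, frozenset({"NS", "DS", "RRSIG"}))
    optout = NSEC3("0" * 32, 1, ZONE_ITER, ZONE_SALT, nxt, frozenset({"NS", "SOA"}))
    return {
        "empty_bitmap": check_insecure_delegation(name, [empty]),
        "ns_no_ds": check_insecure_delegation(name, [good]),
        "ns_and_ds": check_insecure_delegation(name, [secure]),
        "opt_out_cover": check_insecure_delegation(name, [optout]),
        "postbank_referral": check_insecure_delegation(
            "newsletter.postbank.de.", [NSEC3.from_text(POSTBANK_NSEC3)]),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:18s} insecure-delegation proof {'OK  ' if ok else 'FAIL'}: {why}")
```

The "empty_bitmap" case is the shape of the Postbank referral: an NSEC3 that matches the name but advertises no NS, so a validator following section 8.9 cannot accept the referral as a proven insecure delegation, whatever the salt. The "postbank_referral" case fails for the quoted record either way: if its owner is the hash of newsletter.postbank.de the empty bitmap rejects it, and if not, flags 0 means no opt-out cover is possible.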